If you ever had machine with two lan cards that needs to have failover with for example each lan card connected to it`s own router with internet connection, then this article is for you.

While working in one company I had a request that two Cisco routers each needs to be connected to one lan card on the same machine and on the other side they are connected to one mobile operator using IPSec over GRE tunnel. I made the setup on Cisco routers and configure parameters for IPSec and GRE, but the problem starts when I want to access the machine from both sides. If you configure gateway in the normal way you will get only one router as default gateway and all the traffic form the machine will go through that gateway. But in this case you need the traffic that comes from router1 to send using router1 and from router2 to router2. This is done using policy routing. Following commands will configure routing table to route traffic to corresponding gateway:

First line defines policy that all traffic that comes from ip 192.168.0.10 (eth0) will use routing table uplink1, and second line adds default gateway 192.168.0.1 (router1) to table uplink1 using eth0. Same commands are for eth1 with corresponding IPs. Last line is important because we still don`t have default gateway in the main routing table. Using nexthop we can add several gateways and give them weight if we want to prioritize them or in this case give them the same weight tu use them equally. You can put this commands into /etc/rc.local if you want them to be executed everytime on start up.

In the end we forgot to edit /etc/iproute2/rt_tables and define tables. It should look something like this:

If you use EoIP in bridge mode and you have DHCP server on both sides but you want to separate them to serve only the side that it is working on, you need to block DHCP traffic through the tunnel. This is also useful to offload traffic through the tunnel since internet link is usually bottle neck in the network and we don`t want to load it unnecessary.

Linux is equipped with ebtables that can inspect all ethernet traffic, and filter in our case DHCP brodacasts. To enable it go to Administration->Commands, Edit startup script and add following lines.

Recently we have discovered DD-WRT linux distribution that is meant for consumer routers like TP-Link and etc., to get more advanced features. One of the interesting capabilities is Ethernet over IP (EoIP) that creates a tunnel between two points and forward all ethernet packets between. This will bridge two points like there are on the same switch. So you are now wondering why do I need EoIP when I have VPN. VPN is working on IP and it will pass only IP traffic through the tunnel, but if you need some other protocol like (IPX, SCTP, RIP, OSPF etc.), EoIP in bridge mode is the easiest way to do it.

One of the disadvantage in DD-WRT is that you need to have static IP for EoIP tunnels and we have made a solution to make it work with dynamic IPs using any dynamic DNS service. Solution is made up from two scripts. First one checks if the ip of dynamic DNS has changed, and if true it will resolve the ip and change it in the tunnel configuration:

You need to change example.dyndns.org to dynamic DNS of remote peer for the tunnel and save the script in DD-WRT, and if you are not using tunnel no. 1 then replace oet1 with oetx (where x is the number of EoIP tunnel you are using). You can go to Administration->Commands, Edit custom script and paste the scripte there.

Now that you created script for EoIP, you need to add it to cron job so that the script will be executed periodically. This is second script that will be executed on DD-WRT startup and fixing some problems with cron.

Share this:

Today we have finally met at Zarko`s house, and decided to bring this baby to life. It was difficult to decide all the small things like theme of the blog, logo picture, some general text, but we succeeded to resolve all the obstacles so we can start our first blog.

Soon we will post some interesting problems that we encountered recently and give this blog some meaning for existence. 😉